The evolution of Microsoft Threat Protection, February update

February 13, 2019

February is an exciting month of enhancements for Microsoft Threat Protection. For those who have followed our monthly updates (November, December, and January), you’re aware that Microsoft Threat Protection helps provide users with optimal security from the moment they sign in, use email, work on documents, or use cloud applications. IT administrators benefit from minimal complexity while staying ahead of threats to their organization. Microsoft Threat Protection is one of the few available services helping provide comprehensive security across multiple attack vectors. This month, we share enhancements to identity protection, the launch of the Microsoft 365 security center, and another example of Microsoft Threat Protection mitigating a real-world attack.

Enhancing identity protection

Currently, 81 percent of all cyberattacks are due to weak or compromised credentials. Weak identity protection exposes all other attack surfaces to cyberthreats. With this in mind, Microsoft has invested heavily in identity protection, ensuring it continues as one of our fundamental strengths and differentiators. Microsoft Threat Protection leverages Azure Active Directory (Azure AD) Identity Protection to provide comprehensive, industry-leading identity protection for hundreds of millions of users. This month, we’re excited to announce enhancements to our identity protection capabilities with the following updates to Azure AD Identity Protection:

Each of these updates is based on customer feedback and our deep domain expertise. With these updates, we continue to improve and build on securing identities for thousands of customers. In fact, several customers such as The Walsh Group, Abtis, Identity Experts, and BDO Netherlands have already experienced the benefits of these new enhancements. We hope you try the refreshed Azure AD Identity Protection. Get the full details of these updates in our blog post and please share your thoughts via the in-product prompts.

Reducing complexity with the Microsoft 365 security center

Microsoft Threat Protection is built on the Microsoft Intelligent Security Graph, which provides a deep and broad threat signal and leverages machine learning for intelligent signal correlation. Many of our customers have often asked us to provide a “single pane of glass” that provides a centralized experience across their Microsoft security services and helps correlate signals from disparate sources, to provide richer insights that lead to intelligent security decisions.

To address this critical customer ask, we recently launched the Microsoft 365 security center (Figure 2), which surfaces many of these correlated signals in a detailed and elegant user interface, helping reduce the complexity of an organization’s security environment. The new Microsoft 365 security center (which can be accessed at security.microsoft.com) provides security administrators (SecAdmins) a centralized hub and specialized workspace to manage and take full advantage of most Microsoft Threat Protection services. Admins will gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and future threats.

The Microsoft 365 security center also provides experiences for security operators (SecOps) through the integration of incident response capabilities such as a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations. We’ll be making continuous enhancements to the Microsoft 365 security center and providing updates on its progress.

While our updates on new features and enhancements hopefully convey our focus and investment in providing best-in-class security, Microsoft Threat Protection’s ability to stop real-world threats is ultimately the truest test. Recently, Microsoft Threat Protection helped secure several public sector institutions and non-governmental organizations such as think tanks, research centers, and educational institutions, as well as private-sector corporations in the oil and gas, chemical, and hospitality industries, from a very aggressive cyberattack. Some third-party security researchers have attributed the attack to CozyBear, though Microsoft does not believe there is yet enough evidence to attribute the attack to CozyBear. Figure 3 shows the full attack chain.

Figure 3. Attack chain of recent threat to public sector and other non-government agencies by unidentified attacker.

Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the added step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats. Learn about the full analysis in our recent blog.